Reference Guide
Manage Policies
164
the identification field and allowed identification field. The allowed identification field is used in combination with the Deny Write Access to Removable Drives Not Protected by BitLocker policy to help control the use of removable drives in the organization.
This policy must be set to Selected to use the policies Set Organizational Unique Identifiers and Set Allowed Organizational Unique Identifiers.
Policy: Set Organizational Unique Identifiers
Options: Up to 260 characters
The identification field allows you to associate a unique organizational identifier with BitLocker-protected drives. This identifier is automatically added to new BitLocker-protected drives and can be updated on existing BitLocker-protected drives using the Manage-BDE command-line tool. An identification field is required for management of certificate-based data recovery agents on BitLocker-protected drives and for potential updates to the BitLocker To Go Reader. BitLocker will only manage and update data recovery agents when the identification field on the drive matches the value configured in the identification field. In the same way, BitLocker will only update the BitLocker To Go Reader when the identification field on the drive matches the value configured for the identification field.
To use this policy, Enable Organizational Unique Identifiers must be set to Selected.
Policy: Set Allowed Organizational Unique Identifiers
Options: Up to 260 characters
The allowed identification field is used in combination with the Deny Write Access to Removable Drives Not Protected by BitLocker policy to help control the use of removable drives in the organization. It is a comma-separated list of identification fields from your organization or from other external organizations.
To use this policy, Enable Organizational Unique Identifiers must be set to Selected.
Policy: Prevent Memory Overwrite on Restart
Default: Not Selected
Options: Selected, Not Selected
Selected prevents memory from being overwritten on restart. Preventing memory overwrite may improve restart performance, but it increases the risk of exposing BitLocker secrets. When Not Selected, BitLocker secrets are removed from memory when the computer restarts.
Policy: Enable Smart Card Certificate Identifier
Default: Not Selected
Options: Selected, Not Selected
This policy allows or denies an object identifier to be specified for enhanced key usage with a certificate.
This policy must be set to Selected to use the policy Smart Card Certificate Identifier.
Policy: Smart Card Certificate Identifier
Default: 1.3.6.1.4.1.311.67.1.1
Options: 1.3.6.1.4.1.311.67.1.1
This policy provides for an object identifier to be specified for enhanced key usage with a certificate. BitLocker can identify which certificates may be used to authenticate a user certificate to a BitLocker drive by matching the object identifier in the certificate with the object identifier that is defined by this policy. Use caution if changing the default value.
To use this policy, Enable Smart Card Certificate Identifier must be set to Selected.
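The policies above are easiest to audit from the registry values BitLocker reads. This is an added example, not code from the reference guide or its vendor; it assumes the console writes the standard BitLocker Group Policy values (IdentificationField, IdentificationFieldString, SecondaryIdentificationField, MorBehavior, CertificateOID) under HKLM:\SOFTWARE\Policies\Microsoft\FVE, which the guide does not state.

```powershell
# Added example. Registry value names are the assumed mapping to the policies above.
$FvePolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'
$DefaultSmartCardOid = '1.3.6.1.4.1.311.67.1.1'   # default from the guide

function Get-BitLockerPolicyValues {
    # Read the policy key into a hashtable; values that are not set stay $null.
    $props = Get-ItemProperty -Path $FvePolicyKey -ErrorAction SilentlyContinue
    $h = @{}
    foreach ($n in 'IdentificationField','IdentificationFieldString',
                   'SecondaryIdentificationField','MorBehavior','CertificateOID') {
        if ($props) { $h[$n] = $props.$n }
    }
    return $h
}

function Get-AllowedIdentifiers([hashtable]$Policy) {
    # The allowed identification field is a comma-separated list; trim each entry.
    $raw = [string]$Policy['SecondaryIdentificationField']
    return @($raw.Split(',') | ForEach-Object { $_.Trim() } | Where-Object { $_ })
}

function Test-BitLockerPolicyValues([hashtable]$Policy) {
    $findings = @()
    if ($Policy['IdentificationField'] -ne 1) {
        $findings += 'Enable Organizational Unique Identifiers is Not Selected; identifier policies are ignored.'
    }
    $idField = [string]$Policy['IdentificationFieldString']
    if ($idField.Length -gt 260) {
        $findings += "Identification field is $($idField.Length) characters; the limit is 260."
    }
    foreach ($entry in Get-AllowedIdentifiers $Policy) {
        if ($entry.Length -gt 260) { $findings += "Allowed identifier '$entry' exceeds 260 characters." }
    }
    if ($Policy['MorBehavior'] -eq 1) {
        $findings += 'Prevent Memory Overwrite on Restart is Selected: BitLocker secrets may remain in RAM across a restart.'
    }
    $oid = [string]$Policy['CertificateOID']
    if ($oid -and $oid -ne $DefaultSmartCardOid) {
        $findings += "Smart card certificate identifier changed from the default ($oid); confirm issued certificates carry this EKU."
    }
    return $findings
}

# Constructed sample (not a real configuration); the OID is a placeholder that trips the check.
$sample = @{ IdentificationField = 1; IdentificationFieldString = 'Contoso-Finance'; MorBehavior = 1
             SecondaryIdentificationField = 'Contoso-HR, Fabrikam'; CertificateOID = '1.2.3.4.5' }
Test-BitLockerPolicyValues $sample
# Live machine: Test-BitLockerPolicyValues (Get-BitLockerPolicyValues)
```

Run the live form in an elevated session; an empty result means none of the checks above fired.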
See basic settings
BitLocker Encryption - Operating System Volume Settings
Policy: Allow Enhanced PINs for Startup
Default: Not Selected
Options: Selected, Not Selected
Selected allows enhanced startup PINs to be used with BitLocker. Enhanced startup PINs permit the use of characters including uppercase and lowercase letters, symbols, numbers, and spaces. This policy setting is applied when you turn on BitLocker.
Policy: Number of Characters Required in PIN
Default: 4
Options: 4-20 digits
This policy configures the minimum length for a TPM startup PIN. The startup PIN must have a minimum length of 4 digits and can have a